Cyberattacks and Operational Disruption
Q1 2024
Cyber risk is an evolving and often misunderstood class of risk. Rapid technological change, the ever-increasing reach and skills of hackers, and the unpredictability and often unexpected cost of cyber events compound the challenges and increase the stakes for cyber risk protection.
There are many varieties of cyberattacks. The most frequent are denial of service (DoS), data breaches, ransomware, theft of proprietary information, theft of financial resources, and disruption of supply chains. The common denominator in each of these is the disruption of operations within the organization. Short-term losses from ransom settlements and even financial cybertheft can pale in comparison to the long-term costs incurred due to an operational disruption.
Business operation disruption, with its inherent loss of productivity and revenue, is always a concern for business leaders. A recent study found that cyberattacks are considered the most likely cause of business disruption for leaders of companies of all sizes.1 The financial costs can be significant.
These costs arise in various areas, and business leaders must identify both the possible and likely scope of potential impacts from an operational disruption in their company.
A recent analysis from Deloitte found that business leaders tend to gravitate toward calculating the more easily quantifiable costs from a cyber incident – the breach of customer and employee records, for example, along with legal judgments and penalties – and less on the costs related to more serious impacts, including the disruption of operations. Although these are more difficult to quantify, their cascading impacts represent a more severe threat to the business’s long-term viability.2
Fortunately, there are models to estimate operational disruption costs and best practice recovery techniques, such as establishing Recovery Time Objectives and incident response plans for critical systems and applications. In combination, these steps enable business leaders to manage cyber risks more completely and plan for a stronger recovery.
Clorox® Company
The consumer-products giant Clorox® Company was the victim of a catastrophic cyberattack in Q3 2023, and Q1 2024 results suffered significantly: “Order processing delays and significant product outages” dented quarterly sales by 23-28%. That’s likely well over $500 million in lost revenue.3
Southwest Airlines
A network outage that hit Southwest Airlines in 2016 caused the cancellation or delay of more than 2,000 flights. The price tag was pegged at $82 million in increased costs and lost revenue – and that doesn’t consider the public relations impact nightmare and loss of goodwill. Southwest blamed a faulty router, which it says prompted a widespread network system failure.4
Do we have an incident response plan (IRP) that addresses cyber events?
Do we practice proper cyber hygiene?
Do we have good information governance practices?
Have we considered and purchased cyber insurance?
Most organizations rely on third-party technology service providers for critical functions. For example, automated inventory systems and cloud-based collaboration platforms are deeply embedded into business operations. If a company’s critical service provider is the source of a prolonged attack, this also can substantially disrupt the company’s operations. Companies should account for this risk in their business impact analyses.
Cyber insurance was introduced more than 25 years ago to address new and emerging risks not contemplated in traditional Property & Casualty policies. While these cyber policies have evolved to address additional risks, at their core, they are like traditional insurance with similar coverage provisions, such as business interruption and property damage. Some of the notable benefits include:
Information and operational technology advances will continue to drive scale and efficiencies, helping companies innovate and differentiate in their markets. Unfortunately, these rapid changes come with risks – most notably, the potential for operational disruption when they fail or are compromised.
This is the primary reason cyber risk is consistently ranked as an organization’s top concern. The unknown volatility associated with disruption from a successful cyberattack can lead to substantial financial loss and, in the worst cases, bankruptcy.
Every organization should take a proactive approach to managing and measuring these emerging risks. Cyber insurance is now an essential corporate finance tool to assist with reducing this volatility. After all, cyber insurance is a blend of risk mitigation tools, a financial backstop, an information-sharing medium, and a source of predictive analysis.
Tim Burke
EVP, Head of Cyber | Commercial E&O
William Boeck
EVP, Cyber Product Leader
Angela Thompson
Sr. Marketing Specialist, Market Intelligence & Insights
Brian Leugs
Writer